gh-release-pipeline
Pass
Audited by Gen Agent Trust Hub on May 12, 2026
Risk Level: SAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [SAFE]: The skill demonstrates strong security posture by recommending GitHub Environments for secret management and explicitly instructing users to pin third-party actions to full commit SHAs.
- [COMMAND_EXECUTION]: The skill generates workflows that execute automated build, test, and release commands. These include recursive-trigger protections using [skip ci] message guards and job-level concurrency groups to prevent race conditions during publishing.
- [EXTERNAL_DOWNLOADS]: The skill references several well-known and official GitHub Actions, such as cycjimmy/semantic-release-action, goreleaser/goreleaser-action, and axodotdev/cargo-dist-action, to handle specialized release tasks across different language ecosystems.
- [SAFE]: Indirect attack surface analysis: The system relies on git commit history to drive versioning logic via semantic-release. This inherent surface is addressed by recommending Conventional Commits and maintaining verification jobs as mandatory gates for both PRs and automated releases.
Audit Metadata